Hello,
I have been accessing ZM over a VPN until now on the phone (zmninja). However, putting a VPN on family members' mobiles is demanding. I was wondering how safe it is to expose ZoneMinder on the internet. I will have letsencrypt certificates and will also use ZM authentication.
WAN access, security?
-
- Posts: 97
- Joined: Sun May 28, 2017 4:29 pm
Re: WAN access, security?
Like with anything facing the Internet, you're going to get people poking around.
Firstly, make sure you have strong passwords in place: mix uppercase, lowercase, numbers and special characters. Set up a reverse proxy, such as NGINX, and add another layer of security there. Also make sure that your user accounts have the least amount of access possible. If they don't need to use a function, then remove it from them. You can also restrict what networks have access via the reverse proxy, which will give you a little more admin work, but will again increase your security.
Hopefully that gives you a few pointers.
Re: WAN access, security?
Thanks for the tips. I have an NGINX reverse proxy in front of ZM. What do you mean by "and add another layer of security there"?
I have set up a 'view' only user account which is on the mobile phones.
Are you suggesting to use geoip with nginx?
-
- Posts: 97
- Joined: Sun May 28, 2017 4:29 pm
Re: WAN access, security?
Adding GeoIP is one option; the other would be to set up authentication at the NGINX level. So users would effectively have to authenticate twice to log on to your ZM server.
-
- Posts: 10
- Joined: Sat Jun 13, 2020 4:49 am
Re: WAN access, security?
I use Apache and previously I had logwatch watching the Apache log files for a login.
On a login, I would get an email that someone logged in (username/IP).
If a strange IP showed up, I would know to investigate (fortunately it never happened).
It was just my wife and I logging in, so I would get maybe 1 or 2 emails per week.
If you have many family members logging in, your inbox could be flooded.
You could take Maximo1970's idea of GeoIP and incorporate a script with logwatch so that only logins with IP addresses outside of your country would be emailed to you.
Just a thought...
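
The filtering idea from the last post, as an added example that is not part of the original thread: a Python script that scans Apache combined-format access log lines for ZoneMinder API login requests and reports only those coming from outside a list of trusted networks. The CIDR list stands in for a GeoIP country lookup, and the networks, the login path and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed): networks you expect logins from, and the login
# path. /zm/api/host/login.json is the ZoneMinder API login endpoint; adjust
# the prefix if your install is mounted elsewhere.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.0/24")]
LOGIN_PATH = "/zm/api/host/login.json"

# Apache "combined" format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def unexpected_logins(lines):
    """Return (time, client, user, status) for login requests from untrusted clients."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
            trusted = any(ip in net for net in TRUSTED_NETS)
        except ValueError:
            trusted = False  # hostname in the client field: report, don't skip
        if not trusted:
            # user is "-" unless HTTP auth is enforced in front of ZoneMinder
            hits.append((m["time"], m["ip"], m["user"], int(m["status"])))
    return hits

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = [
    '192.168.1.20 - - [12/Jun/2020:08:01:12 +0000] "POST /zm/api/host/login.json HTTP/1.1" 200 512 "-" "zmNinja"',
    '203.0.113.45 - alice [12/Jun/2020:09:15:40 +0000] "POST /zm/api/host/login.json HTTP/1.1" 200 498 "-" "zmNinja"',
    '198.51.100.7 - - [12/Jun/2020:03:22:05 +0000] "POST /zm/api/host/login.json HTTP/1.1" 401 210 "-" "curl/7.68.0"',
    '198.51.100.7 - - [12/Jun/2020:03:22:09 +0000] "GET /zm/index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '2001:db8::5 - bob [12/Jun/2020:10:00:00 +0000] "POST /zm/api/host/login.json?x=1 HTTP/1.1" 200 505 "-" "zmNinja"',
]

if __name__ == "__main__":
    for when, client, user, status in unexpected_logins(SAMPLE_LOG):
        print(f"{when}  login attempt from {client}  user={user}  status={status}")
```

Run from cron over the day's access log, the output can be mailed only when it is non-empty, which keeps the inbox quiet for logins from known networks.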